I would like help for Freeradius integration on AD domain
ID 72 with timestamp +87
Ready to process requests.
#by eddy: trying authenticating: radiust...@ulssve.lan with CHAP encryption
rad_recv: Access-Request packet from host 172.30.100.2 port 54247, id=15, length=157
    User-Name = radiust...@ulssve.lan
    CHAP-Challenge = 0xd4ab0707d4ab0707d4ab0707d4ab0707
    CHAP-Password = 0x0057dc83b55c66b3ae5f6442d8c52f2d89
    NAS-IP-Address = 172.30.100.2
    NAS-Identifier = GGSN-RM5
    Called-Station-Id = ulss12ve.tim.it
    Framed-Protocol = GPRS-PDP-Context
    Service-Type = Framed-User
    NAS-Port-Type = Virtual
    Calling-Station-Id = 393666140176
    3GPP-PDP-Type = 0
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[IPASS] No '/' in User-Name = radiust...@ulssve.lan, looking up realm NULL
[IPASS] Found realm NULL
[IPASS] Adding Stripped-User-Name = radiust...@ulssve.lan
[IPASS] Adding Realm = NULL
[IPASS] Authentication realm is LOCAL.
++[IPASS] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by radiust...@ulssve.lan with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> radiust...@ulssve.lan
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 15 to 172.30.100.2 port 54247
Waking up in 4.9 seconds.
Cleaning up request 3 ID 15 with timestamp +119
Ready to process requests.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/I-would-like-help-for-Freeradius-integration-on-AD-domain-tp4441969p4441969.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: I would like help for Freeradius integration on AD domain
edgardolenza wrote:
> -the client radius sends authentication requests to the freeradius (using CHAP)
> -freeradius has to ask to AD if the user can be authenticated

This is impossible.

http://deployingradius.com/documents/protocols/compatibility.html

See the NT Hash column.

Alan DeKok.
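Why rlm_chap gives up with "Cleartext-Password is required" (an added illustration, not code from the thread or from FreeRADIUS): the CHAP response is MD5 over the CHAP ident, the cleartext password and the challenge (RFC 1994; attribute layout from RFC 2865), so checking the CHAP-Password in the debug above means redoing that MD5 with the real password. A directory that stores only a password hash, which is what the NT Hash column is about, has no cleartext to feed in. The challenge and response below are copied from the log; the password is constructed.

```python
import hashlib
import hmac

# CHAP-Challenge and CHAP-Password copied from the radiusd -X output above.
CHAP_CHALLENGE = bytes.fromhex("d4ab0707d4ab0707d4ab0707d4ab0707")
CHAP_PASSWORD = bytes.fromhex("0057dc83b55c66b3ae5f6442d8c52f2d89")


def chap_response(ident: int, cleartext: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(ident || secret || challenge).
    The NAS computes it from the password the user typed; a server can only
    recompute it if it holds that same cleartext."""
    return hashlib.md5(bytes([ident]) + cleartext.encode("utf-8") + challenge).digest()


def build_chap_password(ident: int, cleartext: str, challenge: bytes) -> bytes:
    """RADIUS CHAP-Password (RFC 2865 5.3): 1-octet CHAP ident + 16-octet response."""
    return bytes([ident]) + chap_response(ident, cleartext, challenge)


def chap_verify(known_good_cleartext: str, challenge: bytes, chap_password: bytes) -> bool:
    """What rlm_chap does once Cleartext-Password is known. The only secret
    input is the cleartext itself; a stored hash (AD keeps an NT hash) cannot
    be substituted for it."""
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password must be 17 octets (ident + MD5 digest)")
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, known_good_cleartext, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Replay the check against the thread's challenge with a constructed password."""
    constructed = "constructed-test-secret"  # not the real radiustest password
    nas_side = build_chap_password(0x00, constructed, CHAP_CHALLENGE)
    return {
        # Server holds the matching cleartext: verification succeeds.
        "right_cleartext": chap_verify(constructed, CHAP_CHALLENGE, nas_side),
        # Server holds anything else (e.g. a hash instead of the password): fails.
        "wrong_cleartext": chap_verify("something-else", CHAP_CHALLENGE, nas_side),
        # The logged response cannot be checked without the real cleartext.
        "log_response_with_guess": chap_verify("guess", CHAP_CHALLENGE, CHAP_PASSWORD),
        "log_ident": CHAP_PASSWORD[0],
    }


if __name__ == "__main__":
    print(demo())
```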
Re: I would like help for Freeradius integration on AD domain
Hi Alan,

Is this a STANDARD? Excuse me but I'm not an expert on these things.

Have you got suggestions on how to implement this? Isn't it possible to create a copy of the AD's users on a local Database? Do you know if there are other solutions?

Thank you very much.

Eddy

PS: I've also tried with PAP, I'll send the debug info soon, but the problem is the same.
Re: I would like help for Freeradius integration on AD domain
edgardolenza wrote:
> Is this a STANDARD?

I have no idea what you mean by that.

> Excuse me but I'm not an expert on these things.

What's so hard about reading that web page?

> Have you got suggestions on how to implement this?

What part of impossible is unclear?

> Isn't it possible to create a copy of the AD's users on a local Database?

Go ask Microsoft. The answer will likely be no.

> Do you know if there are other solutions?

Do you know the definition of impossible?

> PS: I've also tried with PAP, I'll send the debug info soon, but the problem is the same.

Yes. You've butchered your configuration so that it doesn't work. Don't do that.

See man radiusd for reasons why.

Alan DeKok.
Re: I would like help for Freeradius integration on AD domain
On 31/05/11 14:39, edgardolenza wrote:
> Hello everybody,

Hello

> I apologize because I'm new with linux and freeradius also. I've read many forums and many howtos but I've got some trouble with user authentication on domain controller.
> This is my working layout:
> -I've got an appliance (radius client) getting authentication requests from users.
> -the client radius sends authentication requests to the freeradius (using CHAP)
> -freeradius has to ask to AD if the user can be authenticated

If you want to use AD, you'll be needing to use MSCHAPv2, realistically. Most likely inside PEAP, as this is what the MS supplicants use. Others may also play with EAP-TTLS, but from what I've seen dealing with 802.1x stuff here, it's nearly always MS-CHAPv2 on the inside (although there are sometimes others available as well).

> I've configured many things and I've done many tests: freeradius server seems working correctly. The machine is in the Microsoft domain, I'm able to make queries on ADs. When I try to authenticate with domain's I've got problems: I've put the debug on bottom of this message.

You need to make sure the freeradius server is joined to the domain (therefore Samba must be installed). Also, you'll need winbindd running.

*snip*

>  Module: Instantiating module mschap from file /etc/raddb/modules/mschap
>   mschap {
>     use_mppe = yes
>     require_encryption = yes
>     require_strong = yes
>     with_ntdomain_hack = yes
>     ntlm_auth = /user/bin/ntlm_auth --request-nt-key --username=radiustest
>   }

Obviously you'll be wanting to fix the ntlm_auth line as well.

Hope this helps.

--
Martin Goldstone
IT Systems Administrator
Finance IT
Keele University, Keele,
Staffordshire, United Kingdom, ST5 5BG
Telephone: +44 1782 734457